Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using Google as Identity Provider causes org.springframework.security.jwt.crypto.sign.InvalidSignatureException #565

Closed
ghost opened this issue Mar 14, 2017 · 4 comments · Fixed by #577
Closed

Using Google as Identity Provider causes org.springframework.security.jwt.crypto.sign.InvalidSignatureException #565

ghost opened this issue Mar 14, 2017 · 4 comments · Fixed by #577
Labels
accepted Accepted the issue

Comments

@ghost
Copy link

ghost commented Mar 14, 2017

I followed the instructions here but got the error above. Had to add this to my custom yml configuration:

                tokenKeyUrl: https://www.googleapis.com/oauth2/v2/certs

If the solution has any merit I think the document should be updated.

Tks in advance.
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/141727349

The labels on this github issue will be updated when the story is started.

bleach pushed a commit to alphagov/paas-cf that referenced this issue Mar 21, 2017
Add tokenKeyUrl
a5b0902 
As per cloudfoundry/uaa#565
bleach pushed a commit to alphagov/paas-cf that referenced this issue Mar 23, 2017
Enable validation of google OIDC signatures
5c39938 
Prior to our v251 to v253 CF upgrade, logging in with google OpenID Connect
seemed to be working, however once we'd upgraded to v253 we encountered the
error: "There was an error when authenticating against the external identity
provider: Could not verify token signature."

As suggested in cloudfoundry/uaa#565, a tokenKeyURL
has been added.  https://www.googleapis.com/oauth2/v3/certs was used instead of
the URL suggested there, as this is the URL returned from
https://accounts.google.com/.well-known/openid-configuration
@bleach bleach mentioned this issue Mar 23, 2017
Merged
bleach pushed a commit to alphagov/paas-uaa that referenced this issue Mar 27, 2017
Add tokenKeyUrl to sample Google OIDC config
dc4742c 
Prior to our v251 to v253 CF upgrade, logging in with google OpenID Connect
seemed to be working, however once we'd upgraded to v253 we encountered the
error: "There was an error when authenticating against the external identity
provider: Could not verify token signature."

As suggested in cloudfoundry#565, a tokenKeyURL
has been added.  https://www.googleapis.com/oauth2/v3/certs was used instead of
the URL suggested there, as this is the URL returned from
https://accounts.google.com/.well-known/openid-configuration
@bleach bleach mentioned this issue Mar 27, 2017
Merged
@sreetummidi
Copy link
Contributor

@tnwang Is this the case. Does the doc need to be updated?

@tnwang
Copy link
Contributor

tnwang commented Jul 25, 2017

We should update the document so that people always use the latest information from https://accounts.google.com/.well-known/openid-configuration - it is mentioned but only for two fields. It should always be referenced for all values used, or configured as the discovery URL.

@tnwang
Copy link
Contributor

tnwang commented Aug 18, 2017

Closing this story as the March 27th merge had actually provided the fix in the specified document.

@tnwang tnwang closed this as completed Aug 18, 2017
@cf-gitbot cf-gitbot added delivered accepted Accepted the issue and removed scheduled delivered labels Aug 18, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
accepted Accepted the issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add tokenKeyUrl to sample Google OIDC config alphagov/paas-uaa
3 participants
@cf-gitbot @sreetummidi @tnwang